03-17-2021 06:56 AM
Having an issue with several hosts. Periodically, they will try to reference their host MAC address instead of using the computer's AD account. I am reviewing the RADIUS logs and comparing a failed authorization attempt and a successful one. On the failed one, I get the following:
15013 Selected Identity Source - Internal Endpoints
24209 Looking up Endpoint in Internal Endpoints IDStore - D8:CB:8A:87:E9:22
24211 Found Endpoint in Internal Endpoints IDStore
22037 Authentication Passed
24715 ISE has not confirmed locally previous successful machine authentication for user in Active Directory
15036 Evaluating Authorization Policy
15048 Queried PIP - EndPoints.LogicalProfile
15048 Queried PIP - EndPoints.EndPointPolicy
15048 Queried PIP - DEVICE.Phase
15016 Selected Authorization Profile - Wired_Deny_All
Currently using ISE version 2.6.0.156
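The step list above can be read mechanically: 15013 names the identity source ISE selected (Internal Endpoints means the request was handled as MAB, not as a machine/certificate authentication), 24209 carries the endpoint MAC being looked up, 24715 records that no prior successful machine authentication was found, and 15016 names the authorization profile that was finally applied. The script below is an added example, not code from the thread or from Cisco; it parses the step codes as they appear in the post and flags sessions that were authorized via MAB and landed on Wired_Deny_All, so you can pull every affected MAC out of an exported ISE log rather than comparing reports by hand. The "failed" sample is the post's own step list; the "ok" sample is a constructed dot1x session for comparison, and the identity source name "AD1" and the profile name "PermitAccess" in it are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One ISE "Steps" line: a five-digit step code followed by its message text.
STEP_RE = re.compile(r"^\s*(\d{5})\s+(.*\S)\s*$")
MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\b")

MAB_IDENTITY_SOURCE = "Internal Endpoints"  # identity store ISE consults for MAB
DENY_PROFILE = "Wired_Deny_All"             # the authz profile hit in the post

# Constructed sample input. "failed" is the step list from the post verbatim;
# "ok" is a hypothetical successful dot1x session (identity source "AD1" and
# profile "PermitAccess" are assumed names, not taken from the thread).
SAMPLE_SESSIONS: Dict[str, str] = {
    "failed": """\
15013 Selected Identity Source - Internal Endpoints
24209 Looking up Endpoint in Internal Endpoints IDStore - D8:CB:8A:87:E9:22
24211 Found Endpoint in Internal Endpoints IDStore
22037 Authentication Passed
24715 ISE has not confirmed locally previous successful machine authentication for user in Active Directory
15036 Evaluating Authorization Policy
15048 Queried PIP - EndPoints.LogicalProfile
15048 Queried PIP - EndPoints.EndPointPolicy
15048 Queried PIP - DEVICE.Phase
15016 Selected Authorization Profile - Wired_Deny_All
""",
    "ok": """\
15013 Selected Identity Source - AD1
22037 Authentication Passed
15036 Evaluating Authorization Policy
15016 Selected Authorization Profile - PermitAccess
""",
}


@dataclass
class SessionVerdict:
    session: str
    method: str                      # "MAB" or "dot1x"
    mac: Optional[str]               # MAC from step 24209, if present
    identity_source: Optional[str]   # value from step 15013
    authz_profile: Optional[str]     # value from step 15016
    machine_auth_unconfirmed: bool   # step 24715 seen
    auth_passed: bool                # step 22037 seen


def parse_steps(text: str) -> List[Tuple[str, str]]:
    """Return (code, message) pairs for every well-formed step line."""
    steps = []
    for line in text.splitlines():
        m = STEP_RE.match(line)
        if m:
            steps.append((m.group(1), m.group(2)))
    return steps


def _after_dash(msg: str) -> str:
    """Value after the ' - ' separator ISE uses in 'Selected ...' messages."""
    return msg.split(" - ", 1)[1].strip() if " - " in msg else msg.strip()


def classify(session: str, text: str) -> SessionVerdict:
    """Summarise one session's steps into how it was authenticated and authorised."""
    mac = identity_source = authz_profile = None
    unconfirmed = auth_passed = mab_lookup = False
    for code, msg in parse_steps(text):
        if code == "15013":
            identity_source = _after_dash(msg)
        elif code == "24209":
            mab_lookup = True
            m = MAC_RE.search(msg)
            mac = m.group(1).upper() if m else None
        elif code == "22037":
            auth_passed = True
        elif code == "24715":
            unconfirmed = True
        elif code == "15016":
            authz_profile = _after_dash(msg)
    method = "MAB" if (mab_lookup or identity_source == MAB_IDENTITY_SOURCE) else "dot1x"
    return SessionVerdict(session, method, mac, identity_source, authz_profile,
                          unconfirmed, auth_passed)


def find_mab_fallbacks(sessions: Dict[str, str]) -> List[SessionVerdict]:
    """Sessions that were handled as MAB and ended on the deny-all profile."""
    return [v for v in (classify(name, text) for name, text in sessions.items())
            if v.method == "MAB" and v.authz_profile == DENY_PROFILE]


if __name__ == "__main__":
    for v in find_mab_fallbacks(SAMPLE_SESSIONS):
        print(f"{v.session}: {v.mac} handled as {v.method}, authz={v.authz_profile}, "
              f"machine auth unconfirmed={v.machine_auth_unconfirmed}")
```

Note that 22037 "Authentication Passed" in the failed session refers to the MAB lookup succeeding (the MAC exists in Internal Endpoints); the deny comes from the authorization policy, which is why the verdict keeps the authentication and authorization outcomes as separate fields.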
03-18-2021 08:55 AM
I figured it out. It looks like the host had Jumbo Packets turned on for the Ethernet adapter. I disabled it, and it's now working. Thanks for your help and input.
03-17-2021 07:23 AM
IMO this sounds like 802.1x is terminating on the respective clients, and then attempting to onboard via mab. During the onboard attempt via mab the hosts are not matching any mab authz policies, and therefore hitting deny all. I think for the community to better assist we need more information such as:
-Supplicant used (native/nam)?
-Supplicant configuration
-802.1x configuration/Interface configuration
-Any other notable discrepancies between the troubled clients versus the other working clients
03-17-2021 07:41 AM
Host is Windows 10 Enterprise, using the native supplicant.
Set for Microsoft: Smart Card or other certificate.
Wired connection. Service Wired AutoConfig is enabled and running.
switchport access vlan 8675
switchport mode access
switchport nonegotiate
switchport voice vlan 309
device-tracking attach-policy device-tracking
no logging event link-status
authentication control-direction in
authentication event fail action next-method
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server
authentication violation restrict
trust device cisco-phone
no snmp trap link-status
mab
storm-control broadcast level 20.00
storm-control action trap
dot1x pae authenticator
dot1x timeout tx-period 7
auto qos voip cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input AutoQos-4.0-CiscoPhone-Input-Policy
service-policy output AutoQos-4.0-Output-Policy
end
03-18-2021 06:29 AM
Are you doing 'Computer Auth' only and is that configured on native supp? Have you attempted to run any debugs on the switch?
debug dot1x all
debug radius authentication
debug eap all
Something is causing 802.1x to terminate and then fall over to mab.